Continuous Auditing technology adoption in leading internal audit organizations
Miklos A. Vasarhelyi, Professor, Rutgers University, email: miklosv@andromeda.rutgers.edu Siripan Kuenkaikaew, Ph.D. Student, Rutgers University James Littley, KPMG Katie Williams, KPMG Working Paper Abstract: The umbrella of advanced technology covers a range of techniques widely used in the U.S. to provide strategic advantage in a very competitive business environment. There is an enormous amount of information contained within current-generation information systems, some of which is even processed on a real-time basis. More importantly, the same holds true for actual business transactions. Having accurate and reliable information is vital and advantageous to businesses, especially in the wake of the recent recession. Therefore, the need for ongoing, timely assurance of information utilizing continuous auditing and continuous control monitoring methodologies is becoming more apparent. To that end, we have prepared and conducted interviews with the internal audit departments of 9 leading organizations to examine the status of technology adoption, to evaluate the development of continuous auditing, and to assess the use of continuous control monitoring. We found that several companies in our study already have employed some types of continuous auditing and continuous control monitoring technologies, and others are attempting to adopt more advanced audit technologies. According to our audit maturity model, all of the companies are between traditional audit stage and emerging stage, and have not yet reached the continuous audit stage. The interviews indicate a progressive acceleration of the rate of technology adoption, despite the presence of several obstacles. 1. Introduction Continuous auditing (CA) is a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter (CICA/AICPA, 1999). This concept is not new; CA has been explored in internal audit circles since the 1970s (Heffes, 2006). The rate of adoption of continuous auditing has gradually increased over the years; however, most adoptions remain in the preliminary phrases. This paper aims to study the status of technology and continuous auditing technology adoption in leading U.S. organizations. By analyzing the drivers and barriers that affect the adoption of continuous auditing and continuous control monitoring in organizations, we will gain a better understanding of the stage of development and usage of the technology. The study will be beneficial to the management of companies that either have already adopted CA or are seeking to adopt CA technology. Our findings will provide guidance to internal audit departments tasked with making long-term CA decisions. Technology adoption is by no means a new subject for academic research. Karahanna et al. 1999 have investigated Windows technology adoption across time. Troshani and Doolin (2005) have studied the impact of XBRL technology in Australian organizations. Organizational characteristics on integrated services digital networks (ISDN) adoption decision were examined by Lai and Gynes in 1997. Additionally, some researchers explored perceived importance of IT in audit applications (Janvrin et al. 2008), and challenges of continuous audit, focusing on the audit report lag identified by partners of a Big 4 accounting firm (Searcy et al. 2002). However, there is yet no research studying technology adoption in internal audit or continuous audit departments. The remainder of this paper is divided into six sections. The following section provides an overview of continuous auditing. The third section presents a review of the prior literature, underlying theory and concepts for interview guide development. Methodology is discussed in the fourth section. Section five presents interview results. Analysis of results is in section six, followed by conclusions. 2. An overview of continuous auditing The CICA/AICPA defines continuous auditing as the generation of written assurance simultaneously or a short period of time after the occurrence of the assured events. To achieve that purpose, continuous auditing may have to rely heavily on information technologies such as broad bandwidth, web application server technology, web scripting solutions and ubiquitous database management systems with standard connectivity (Sarva 2006). Since the Enron and WorldCom scandals, management and executives are dramatically aware of the presence and impact of control breach. Section 302 of the Sarbanes-Oxley Act (SOX) mandates that the company board should certify and approve financial reports on quarterly basis. Under SOX section 404, management is required to document and test the companys internal controls over financial reporting. These processes are costly and require substantial effort from relevant parties. More relevant to our discussion, SOX section 409 requires a real-time disclosure on information or material change on financial condition or operation of a company. This requirement accelerates the reporting timeline in section 13 of the Securities Exchange Act of 1934. 2 Timely monitoring that identifies irregular events is necessary in order to comply with the regulations, and cannot be fulfilled with traditional audit. Searcy and Woodroof (2003) suggest that more frequent reporting should reduce uncertainty and enhance investors perceptions of a company, and that more frequent audit should ensure data integrity. All of these SOX provisions and post-SOX findings emphasize the importance of, and have generated demand for, CA. It can satisfy the impending need for real time audit and report, and can enable both internal and external auditors to execute their new functions. With technology-enabled continuous auditing, internal auditors can improve assurance quality, gaining the ability to audit 100 percent of transactions as opposed to just samples (OReilly 2006). In 2006, PricewaterhouseCoopers conducted their State of the Internal Audit Profession study, surveying 392 companies, to capture the internal audit professions view toward continuous auditing. They found that 81% of surveyed companies had a CA or CM process in place or planned to develop one. The percentage of companies that developed CA systems increased significantly from 35% to 50% during 2005 to 2006. 56% of the respondents had both manual and automated CA processes. Most of the continuous auditing cycle is quarterly. These findings clearly support the usefulness of continuous auditing. By expanding the scope and frequency of audit processes, technology-enabled CA provides the means for internal audit to strengthen reporting and communication with senior management and the audit committee, and delivers more effective independent assurance to key stakeholders (PwC 2006). 3. Literature review Prior literature extensively examines technology adoption across diverse fields, including the studies of continuous auditing under various perspectives. CA relies heavily on existing IT; there is no exclusive technique or process for companies. There are different alternatives of technologies and several characteristics of organizations that will determine what kind of technology they will adopt, and to what degree. The question regarding executives decisions is not whether or not they will adopt CA, but when (Hall and Khan 2003).The key factors that influence their decision should be explored. Management support Investment decisions usually come from top management. Management support is critical for successful implementation, especially for a project that requires a large budget and affects operational processes. Additionally, we must consider that under a CA/CM framework, external auditors must have access to the systems and data of auditees (Handscombe 2007). Such access requires management approval. With a CA approach, some internal audit processes may be changed; for example, audits will occur more frequently, but fewer manual procedures will be involved. In addition, appropriate response from management to audit exception reports is crucial. For instance, a system with integrated automated audit modules may issue a warning report or alert to both top management and the auditor, and management must take appropriate action and/or have appropriate responses (Sarva 2006). Management has a crucial role in implementing continuous auditing technology. Employee knowledge Hall and Khan (2003) posited that the adoption of a new invention might be slow if the success of the implementation depends upon the costly acquisition new and complex skills. Even though some applications allow users to easily execute their work without required knowledge, users still need to have some basic understanding for the applications to work efficiently. In Troshani and Doolins 2005 XBRL adoption study, an interviewee explained that it is easier to use a tool when you understand the fundamental technology underneath it. In addition, Arnold and Sutton (1998) found that there is a high risk of failure if a user with insufficient knowledge has to use intelligent decision aids. Failure in this situation may lead to legal liability, and that prospect could influence the management to decline the use of technology to assist auditing. As stated earlier, continuous auditing relies heavily on advanced technology that assists an internal auditor in investigating irregular transactions. Thus, it requires that internal auditors as users have either some basic knowledge or skills concerning the implemented tools, or a capability to learn. Employee qualification is a critical success factor for CA adoption. Perceived cost Among the studied characteristics that influence technology adoption, one of the most important is cost. In this context, cost is not the actual price of adoption, but rather the perception of that cost to the adopting parties. There are two main schools of thought on this issue. On one hand, researchers believe that a decision to adopt new technology depends on the cost perceived by the decision makers. The adoption would thus take place when perceived benefits exceed perceived costs (Hall and Khan 2003). Taylor and Murphy (2004) have suggested that high set-up and ongoing costs could be barriers to the implementation of technology. There also exists research finding that cost is no longer a major hurdle for continuous auditing adoption. There has been a dramatic drop in the cost of implementation CA and in the availability of support technology (Searcy and Woodroof 2001). A PwC 2006 survey found that only 12% of companies cited cost as their primary obstacle to adoption. 3 Regulation and compliance In 2002, the Securities and Exchange Commission (SEC) released regulation 33-8128, requiring public companies to accelerate the submission of financial reports. An annual report timeline is changed from 90 days to 60 days, and a quarterly report time-line is changed from 45 days to 35 days. It is believed that the timeliness of financial information provides more value to the users of that information (Behn et al. 2006). In a similar vein, Gray and Shadbegian (1998) studied the effects of an environmental regulation on investment decisions made in paper mills. Using census data, they found that new plants located in the areas that have rigorous regulations were more likely to adopt production technology that causes less pollution. SOX section 404 has a major impact on management and auditors, since it involves internal controls quality assurance and on-time reporting. As a result, many executives are considering continuous auditing as a solution to comply with the regulation (Handscombe 2007). A 2006 PwC survey confirmed that compliance with SOX had been demanding, and the efforts of internal auditor to comply with this act are significant. As a result, the presence of demanding regulations and management decision to adopt technology are expected to have a positive relationship. 4. Methodology Field research methodology has been employed. Even though this kind of research may suffer from the generalization problem, it provides potentially rich information and detailed understanding (Clegg et al., 1997). The study examines the status of continuous auditing and monitoring adoption in leading edge organizations through directed interviews with internal auditors, internal audit management, and IT internal auditors applying technology related to continuous monitoring. The aim is to understand what makes a firm an early adopter of CA/CM, the HR and process implications to pursuing CA/CM, and the specific technologies they use. We are interested in the strengths and weaknesses of their approaches, the implementation challenges they face, and how they are attempting to overcome them. A semi-structured interview provides insights for identifying and understanding viewpoints, attitudes and influences (Troshani and Doolin, 2005). Interviews were conducted face-to-face through site visits. Interviews lasted approximately 3 to 4 hours per company. Interviews were tape-recorded when possible and transcribed afterwards. Interviewees were selected from the internal audit department. At least four employees were interviewed per organization to ensure validity, information completeness, and a range of points of view. In addition, more than one interviewer conducted the interviews (Troshani and Doolin, 2005), and analyzed the results simultaneously. 5. Interview result Due to space restrictions, the interview results of only 4 companies are presented here. Consumer 1 Overview The company is a decentralized and entrepreneurial organization with $40 billion in sales, 60% in the United States and Canada and another 40% in other countries worldwide. The company operates in 90 countries, and sells to 200 countries. Currently, they are implementing SAP in the USA and other countries. Human resources There are 3 financial audit directors in the internal audit department, one responsible for all US and Canada branches, and the other two in charge of international branches. All of the internal audit staff works within a roll-in, roll-out scheme. They join the company roll in for a few years and then leave roll out to join another company to gain business experience. They may re-join later with higher positions. The vice president of internal audit reports directly to the CFO and the Committee Chairman. The committee meets 5 times a year. The IT audit team has 9 members with 4 managers worldwide. Initially, IT worked manually and tested normal IT general controls. Presently, the team does more technical audit work such (e.g. networking, operating system and database review); therefore, more tools are deployed to facilitate these tasks. Sometimes, the team co- sources with outside specialists to review the network utilizing special tools. There are 2 training sessions a year which bring all team members together for one week to train both technical and soft skills. The staff also gains knowledge through on-the-job training and training from third party experts. For example, if IT audit staff has a skill gap, they co-source consultants from Big 4 audit firms to provide coaching. However, the department still lacks an efficient training model that can support new technology learning and other necessary knowledge. Process and technology There are 2 noteworthy ongoing projects in the internal audit department. These projects focus on the adoption of audit and data analysis tools respectively. For audit tools, they chose Approva BizRight to review segregation of duties in SAP. A Big 4 firm has been hired as a consultant on this project. When the project is completed, it will enable automatic audit tasks to be completed without travel. For data analysis, the internal audit department used to utilize tools such as ACL and Microsoft Access. However, it is looking for more autonomous and efficient tools.. Normally, if internal audits initiate any idea for a project, they have to prove that the idea will work. The project is then transferred to a business unit, which will formally develop and submit it to the related department. 4 In the internal audit vice presidents opinion, business units should be responsible for key controls examination as self monitoring. The internal audit department will provide a self-evaluation questionnaire (SEQ) to evaluate the controls. In 2004, the internal audit team had to focus on SOX and educated the IT organization to prepare documents and controls to support SOX implementation. It took about 2 years to complete this process. After that, the Process Control & Security Team began a segregation of duties and access control project. A steering committee was set up for SAP projects that go on both domestically and internationally. SAP projects implemented internationally use a template approach to facilitate implementation. They also have IDS Scheers ARIS tools on top of SAP to provide business process flow, control definitions, risk control documents, narrative, SAP configurations and common control standards. Using this tool, all controls are harmonized and standardized world- wide. With SAP implementation, most of the IT audit work can be done automatically and centrally on an annual basis. The company expects audit operations to be more efficient and effective within 3 years. Approva BizRight will be set up for segregation of duty review and integrated in the SAP user access provisioning process. The company has Approva Process Insight (PI) tools executed internationally as a pilot, for automated testing of some business process control. SGCC tools ITGC version is used to do automated testing of the SAP configuration setting. Due to the fact that the company uses several platforms such as Unix, AS/400, JDE, PeopleSoft and Oracle, system compatibility and data extraction are problems. The IT internal audit department is still searching for tools suitable for data extraction and data analysis. Generally, the team gets data from the process owners or vendors, and then, processes the data using MS Excel or Access. However, this task is often substituted by manual controls outside SAP. Future directions and challenges In the future, internal audit teams want to see off-the- shelf tools become more sustainable and affordable while requiring less customization, especially those tools that facilitate SAP audit, such as security and segregation of duties. They believe that 70 percent of controls have the potential to be tested remotely. If audit tasks are automated, the cost of control will be reduced. Moreover, data analysis will be done along with control monitoring. Hi-tech Overview In 2002, the company began using SAP and building a set of continuous monitoring tools. A key person came on board as part of the team to develop these tools. This person is a key success of the project. There is a development group under the internal audit department, which is not normal practice for the company. The audit teams are in the process of legitimizing this process by developing a separate working group. The companys internal auditors believe that continuous monitoring saves labor, facilitates processes, and can help identifying solutions. For example, in the previous year, the monitoring process facilitated the SOX audit tasks, and the external auditors can now rely on the internal auditors work. The companys compliance vision is based on three categories of risks: IT Operations Risk (ITIL) Application Risks (systems reliability) Financial Process Risks (transaction processes) The internal audit department implemented an IT Operational & Application Risk dashboard, which deploys the organizations control environment. The most critical system within the company is SAP, which covers and benchmarks 75 percent of the controls. Other systems include PeopleSoft, Baan, AS/400 and JDE. Besides the KPI reporting tool, the internal auditors use MindMapper, ACL, SQL, Risk Assessment and Controls Evaluation (RACE), which has been used for 4-5 years to track audit engagements and working papers. The company has an enterprise data warehouse, containing financial information, but use is limited due to reconciliation issues. In addition, various legacy applications exist for certain applications, such as costing, procurement, pricing, and revenue recognition. Approximately 60 applications are relevant to SOX compliance. People-related There are approximately 30 internal auditors in the head office and about 125 people worldwide. The internal audit department reports directly to the vice president. Approximately 25 percent of the internal auditors and 40 percent of the IT auditors are career auditors. Most have external audit experience before joining the company. The enterprise compliance group focuses on monitoring and periodic independent evaluation for SOX. However, this group is not included under the internal audit department. Process and technology Historically, the company has used Bindview to send information to external auditors. Now, the data is loaded in Excel and uses color coding, which requires much manual intervention. With the emergence of SOX requirements, the company desires more efficient operations, developing an audit benchmark and KPI tool for the internal audit department. The department places much emphasis on both technology and methodology. It also developed a continuous monitoring tool and solution to assist with SOX compliance. The KPI tool utilizes both leading indicators, such as percentage of system uptime, and lagging indicators, such as number of incident tickets. The monitoring tool has the ability to generate graphs that 5 show trends, and can compare with other t-code. The internal audit team generate summary change reports, KPI reports, and many other SAP review documents, within the framework of the in-house system.With the in-house system, the internal audit department. Even though many SAP configurations are customized, standard controls, such as three-way matching, remain. The KPI reporting system used by the auditors is patent protected, and has been used with a financial services client . Data for KPI reports are captured by automated extraction. The KPI benchmark report is generated monthly and compares operations from two periods. Both changed and unchanged controls are shown in this report, and it is divided into sections for easy review. There is a column that links to working papers as well. However, there is no alarm set presently. This tool is built to avoid requiring direct access to data when an internal auditor needs information for analysis, as was the case in past years. There are 25 SAP-based systems installed across the organization. Each instance is managed by a different SAP team, and data extraction is done on a monthly basis using in-house software built on top of the SAP system. Data calculation is then run via the ABAP protocol, and reports are generated. The system can keep aggregated data for at least 13 months and detailed data for 3 months. Only employees responsible for a function related to SAP are granted an SAP user ID. A segregation of duty report can be pulled from the system for review. Segregation of duty rules are either basic, such as those based on t-code and activity code, or based on complex rule tables. Rule changes must be approved by authorized personnel. The company has a control baseline which is re-validated periodically and can be compared to previous periods to assess any change occurred. Future directions The most important challenges of the implementation of this continuous control monitoring framework are audit conservatives, who do not want to change; changes in leadership roles; management buy-in; visibility among the management team; and relationship management. I nsurance Overview The internal audit department focuses on integrated audit and controls embedded in applications, both automated and manual. During this year, the emphasis is on the audit automation, ACL, SQL, matching data, using different tools and professional analysis. Next year, internal audit management plans for more continuous auditing. Although they expect to work on both automated and manual controls, they will focus more on automation. People-related The companys turnover rate is low compared to its peers. There are 185 employees in the Internal Audit department, 50 of whom are international, and 22 of whom are IT auditors. The internal audit department is organized by lines of business. There is a specific internal audit group for each line of business such as finance, and IT. The career path is individualized; for example, 25% of the staff wants to remain at the company for no more than 2 years and then move to a new job, and 30% want to practice and improve their skills. Normally, the company prefers to hire experienced candidates to the internal audit team. Training is provided to each employee according to his/her development plan, which is discussed with the manager, and also based on previous experience. Therefore, there is no standard or required training scheme. Samples of training provided are internal controls , analytical concept, ACL, and SQL. Talent train is a program that rotates people within and outside the internal audit department with business departments. In the management opinion, analytical skill is the most difficult to train. Process and technology The internal audit department has made an effort to automate certain tasks, especially those that are repetitive and high-volume. However, there are still many operations that have yet to be automated, e.g. claim payment processing. The company has several legacy systems that have been in place for many years. The ACL tool has been used for 10 years and training for this tool is provided to staff across the organization. Financial auditors at the company have used ACL for a long time. Other software is utilized for certain tasks, such as SQL and SAS for analytical procedures, Paisley, for the audit test plan, and Galileo, a web-based workflow tool, for working papers. Although Galileo has been used for 2 years, the company is planning to change to Paisley GRC. The IT department is responsible for data extraction, which is done in a secure environment. The challenge is to get the data on time, which depends on task complexity. In addition, some data sets are too large to be efficiently run on laptop computers. The company has frequent reviews, and a very specific audit scope. Even though most of the current reviews are manually performed, the future goal is to automate reviews, increasing coverage, decreasing time spent. Besides internal audit, there are other departments with responsibility related to company internal control and processes, including SOX audit, fraud, compliance, privacy, enterprise risk management and IT risk management. Each unit reports to its head and tasks among different departments often overlap. The company is implementing GRC in the expectation that it will facilitate information sharing between departments. The IT risk management group is responsible for SOX testing, and reports to the IT department. This group performs risk assessment together with IT audit by agreeing on processes, control, and test plans. Future directions 6 Management wants to increase the utilization of analytical process, and would like internal auditors to be able to analyze business processes more concretely. The direction of the internal audit department is to maximize automation for the audit task by piloting more strategic analytic work. The size of the audit organization may be reduced with more automated audit procedures. Bank 1 Overview In the past, the system audit was outsourced to a Big 4 audit firm. Eventually, the company set up an IT infrastructure audit department, hiring experienced staff with Big 4 experience.. Eventually, the team expanded the scope of their mission to include application audits. The internal audit staff report to the audit manager. The company implemented continuous auditing in 2000. People-related There are 14 employees in the continuous auditing unit, including 2 managers. The company plans to hire an additional superintendent in the future. Generally, the company prefers to hire staff with banking experience. The company provides a variety of training for staff, including IT Infrastructure Library (ITIL) foundations, COBIT, IT governance, IT infrastructure, Certified Information System Auditor (CISA), SAS, Resource Access Control Facility (RACF), bank accounting, risk management, ACL, and audit foundation.Additionally, the company coordinates with the university to arrange MBA courses specially designed for the banking industry. The company also sends its staff from several units, such as internal audit, financial audit, risk management, fraud prevention, IT, to attend these MBA courses. Process and technology The company has been implementing continuous auditing for almost 10 years, starting with the retail audit area of each branch by constructing routines in the mainframe, and monitoring iterative processes. The internal audit department has to issue a control risk assessment report to top management. The IT group has access to approximately 1,500 systems. The company monitors over 5 million customer accounts on a daily basis, and the system sends out about 6 thousand alerts a month. Internal auditors analyze the alarm and inform management. Continuous auditing has been implemented for the business processes that are supported by IT systems which are difficult to manually audit. The implementation of continuous auditing also helps improving the timeliness and scope of internal control review. Data extraction is done by the IT group, which has a service level agreement (SLA) with the internal audit group to provide data upon request within an agreed timeframe. Future directions The company plans to adopt a new,integrated IT infrastructure for continuous monitoring. Currently, it uses Focal software to extract reports and data, transforms data into a text file, and works with MS Access and Excel. 6. Analysis of results The companies in this study are leading organizations in different industries. Some sport advanced applications of continuous auditing and continuous monitoring technology, while some are in the preliminary phase of implementation. We hypothesized in the literature review section that adoption of technology and level of access to data for auditing need support from management, internal auditors need sufficient knowledge and skills to efficiently work with the audit-aid tools, and the perceived cost of adoption should have some effects on the decisions of companies. Management support The continuous auditing and continuous monitoring projects require support from management, especially in the areas of access to data and implementation of audit- aid technology. Interviewees reported that internal auditors do not have direct access to the data. In some companies, they need approval from the data owner or management before gaining access and, even then, access is time-limited. Normally, data extraction is done by the IT division according to the auditors request. In companies that have some level of continuous auditing and continuous monitoring systems, most of the data are automatically extracted without human intervention and analyzed by internal auditors. Therefore, data integrity and security is maintained. For project management, the audit-aid technology implementation is initiated and supported by the head of the internal audit department or higher level management. Currently, an internal audit department of each company is responsible for control monitoring, including monitoring exceptional reports and alarms from the system. If there is any irregular or critical alarm, management will be notified. Employee knowledge The continuous auditing and continuous monitoring involve IT to a large degree. Therefore, it is necessary that employees have the technological skills and knowledge required for their work. Some companies have specific software tools that require specialized training, and all of the companies utilize more than one tool. Each company therefore must (and does) provide different types of training to its employees. Some companies have developed standard training courses required to all the employees. Another approach is to offer customized training where the courses to be attended depend on specific needs. One of the companies also cooperates with a university to provide the MBA program necessary for their staff. Training covers general audit knowledge (e.g. 7 internal control, audit methodology, etc.) as well as specific technical knowledge such as data analytic tools, work flow and working paper instruments. In addition, most of the companies prefer experienced staff to join their organization. Several other trends were discovered over the course of our interviews. For instance, various companies have a staff rotation program; some of the internal auditors will rotate in and out from the internal audit department various business departments. We believe that this program will have an effect on the internal audit staffs breadth of knowledge and skill. Furthermore, all of the interviewed companies have a number of audit-like organizations which monitor internal controls in different areas. However, some of the audit areas overlap, and the results of the review are not efficiently shared among them. Perceived cost Perceived cost is the perception of managers on the setup and ongoing costs of continuous auditing and continuous monitoring implementation. From the interviews with internal audit department managers, we found that cost was not identified as a major barrier for the adoption of technology. The internal audit management departments of some companies consider continuous auditing and continuous monitoring important components of advanced audit processes and frequent up- to-date reporting and would like to invest in this technology. For example, some hi-tech and bank organizations have developed specific tools for continuous monitoring and have employed developers to support the continual improvement of internal audit. Regulation and compliance All of the interviewed companies have to comply with SOX, and they have specific divisions to monitor and ensure SOX compliance. There is no explicit relationship between continuous auditing/monitoring implementation and regulatory compliance. However, this technology has tremendous potential to fulfill SOX requirements. SOX review is very detailed, complicated and time consuming, and interviewees reported that CA/CM facilitates the review activities and reduces the time allocated to SOX compliance. For example, the audit department of one company developed a monitoring tool that now reviews the companys ERP system for both general internal control purposes and SOX compliance. This tool helps internal auditors work efficiently and supports comparison and benchmarking of the internal control components. External auditors are therefore able to rely on the work of internal auditors, reducing time effort required from both parties. The assessment and the audit maturity model The audit maturity model (Table 1) was developed to assess the level of continuous auditing and continuous control monitoring adoption in an organization. This model classifies the audit evolution into 4 stages, which are traditional audit, emerging, maturing, and continuous audit, considering 7 domains: objective, approach, IT/data access, audit automation, audit and management sharing, management of audit functions, and analytic methods. Objective: A level of internal audit organization providing financial reports and monitoring internal controls. Approach: Method of audit review, frequency and technique. IT/Data access: Level and frequency of access to the information system and data. Audit automation: The automated level of auditing, usage of technology to assist the audit review cycle. Audit and management sharing: An internal audit department shares systems and resources with management. They have access and utilize the system together. Management of audit function: Degree of cooperation between financial audit and IT audit, collaboration with other compliance departments. Analytic methods: Level of analytical procedure that an internal auditor performs, techniques, and details. Table 1: The audit maturity model Stage 1 Stage 2 Stage 3 Stage 4 Traditional audit Emerging Maturing Continuous audit Objectives Assurance on the financial reports presented by management Effective control monitoring Verification of the quality of controls and operational results Improvements in the quality of data Creation of a critical meta-control structure Approach Traditional interim and year-end audits Traditional approach with some key monitoring processes Usage of alarms as evidence Continuous control monitoring Audit by exception IT/Data access Case=by-case Repeating key Systematic monitoring Complete data access 8 Stage 1 Stage 2 Stage 3 Stage 4 Traditional audit Emerging Maturing Continuous audit basis Data is captured during the audit process extractions on cycles of processes with data capture Audit data warehouse, production, finance, benchmarking and error history Audit automation Manual processes & separate IT audit Audit management software Work paper preparation software Automated monitoring module Alarm and follow-up process Continuous monitoring and immediate response Most of audit automated Audit and management sharing Independent and adversarial Independent with some core monitoring shared Shared systems and resources with natural process synergies Purposeful Parallel systems and common infrastructures Management of audit function Financial organization supervises audit and Matrix to Board of Directors Some degree of coordination between the areas of risk, auditing and compliance IT audit works independently
IA and IT audit coordinate risk management and share automatic audit processes Auditing links financial data to operational processes
Centralized and integrated with risk management, compliance and SOX/ layer with external audit. Analytical methods Financial ratios Financial ratios at sector level/account level KPI level monitoring Structural continuity equations Monitoring at transaction level
Corporate models of the main sectors of the business Early warning system
The current level of a continuous auditing and continuous monitoring of most of the companies are classified between stage 1 and 2 of the model. There is tremendous opportunity for the companies to progress toward the higher stages. Companies can deploy more automated tools to support an audit review process, enhance analytical procedures, invest in IT and personnel, and improve the level of cooperation between each unit. Graph 1: The current level of the adoption of a continuous auditing and continuous monitoring of the companies
Traditional Emerging Maturing Continuous 9 7. Conclusion With the emergence of a continuous auditing and continuous monitoring methodology, an ongoing, timely review of financial data and internal control of the company is enhanced. From interviews with internal audit managers of leading organizations, we gained an understanding of the status of technology adoption and development in this area. There are some factors that affect the adoption, including management support, perceived costs, regulatory environment, and employee knowledge. To perform an audit review and data analysis efficiently, an internal auditor needs a certain level of information system and data access either via application programs or via extractions by the IT department. Generally, internal auditors are responsible for monitoring the internal controls with a continuous control monitoring technology, and reporting any exception to management. Thus, next-generation internal auditors will require some knowledge about the technology being used and current audit practice. For that purpose, training is provided to support their work and enhance their ability. Continuous auditing and continuous control monitoring technology also facilitate SOX compliance. Field work and iterative tasks can be reduced. All of the internal audit departments have tools and audit automation to support their work, e.g. electronic working papers and data analysis tools. Some companies are more advanced and have a continuous monitoring tool and an alarm system. Based on the result of the interviews, the companies can be classified according to the audit maturity model to evaluate the status of continuous auditing and continuous monitoring. Most of them are ranked between stage 1, traditional audit, and stage 2, emerging. This means that although they have certain level of CA/CM, they are still in the initial phrase, and there is opportunity for development in the future. This result contrasts strikingly with the PwC survey, which states that a large number of companies have continuous auditing in place. Small sample size limits the generalizability of this study. Our research can be extended in two ways. First, a structural survey research can be conducted to get more details on the characteristics and behavior of technology adoption by organizations. Additional measurements can be included, and the questionnaire method will result in a larger sample size than the interview technique we employed. Second, the a follow-up interview with the organizations would provide useful time-series data regarding technology adoption trends and progress. Appendix A Continuous Monitoring / Auditing site visit introductory questions: Each individual best practice organization data gathering should begin with the following general questions and followed by questions regarding people, process, technology, and future directions. To be used as appropriate, the APPENDIX provides additional detailed questions regarding CA/CM usage of specific tools. 1. Overview questions: a. How would you describe the current state of continuous monitoring / auditing in your organization? Discuss CM and CA separately. b. How are continuous monitoring / auditing techniques used in the organization? c. What specific applications [i.e. combination of people, process and technology] have been implemented? d. Has the focus been on controls or transaction monitoring (or both)? 2. People-related questions: a. How much attention does management pay to exception reporting from the CA/CM tools? b. Identify the resources required by the organization to utilize CA/CM and the demands imposed on the clients human and IT resources. c. How would you describe the mix of skills necessary for a successful CM and CA capability? How much effort does it take to obtain/change this skills base to accommodate change? d. Training-related questions: i. Were personnel in the organization trained in the use or interpretation of CA/CM? From what functions? ii. What kind of training was provided and by whom? iii. Evaluation of the CA/CM training: e. Was the amount of time assigned to training sufficient? f. What difficulties were encountered in the training process? How were they overcome? 3. Process-related questions: a. To what extent is the CA/CM system used by operational managers for monitoring of business processes? b. How should existing audit/control procedures be modified to increase the utilization of technology in monitoring / audit (e.g. timing, nature or extent)? c. Did regulation and compliance affect the decision to adopt CA/CM? (e.g. SOX 404) d. Has CA/CM had an impact on Control Self Assessment (CSA) (if used)? If so, how? e. Does the implementation of CA/CM aid the organizations compliance efforts as expected? 4. Technology-related questions: a. What is the degree of automation in the CA/CM process? What percentage of prior audit procedures have been switched from manual to automated? b. How did the organization select the technology to adopt? What criteria were used and who had the final authorization authority? 10 c. Discuss the quality of the data extracted from the companys ERP, legacy or data warehouse ready to be used by the CA/CM tools? How have these improved? Plans for further improvement? 5. Future directions: a. What is planned over the next two years to expand or improve in either the monitoring or auditing arenas? b. To what extent does the current audit methodology and guidance inhibit a fuller adoption of CA/CM tools? Same question re monitoring? c. What are the barriers to more widespread use of CA/CM technology? Additional detailed questions regarding CA/CM usage to be used with interviews around specific projects or applications. 1. Usage characteristics: a. What kinds of transactions can be analyzed using CA/CM? b. Is data extraction done in real time or on an extract and analyze basis? c. Were the CA/CM extraction and analysis tools run by specialists or by the audit team? 2. Experience with the use of CA/CM: a. How do you ensure data integrity? b. How has CA/CM improved the quality and reliability of the evidence obtained? 3. What barriers were there in using the CA/CM tools effectively and efficiently? 4. Data extraction a. How easy was it to extract the data from the system? What tools were used in data extraction? b. If it was difficult to extract the data, describe the difficulties encountered. c. How were the accuracy, completeness and validity of the extracted data verified? References Arnold, V., and S. Sutton. 1998. The Theory of Technology Dominance: Understanding the impact of intelligent decisions aids on decision makers judgments. Advances in Accounting Behavioral Research 1: 175-194. Behn, B. K., D. L. Searcy, J.B. Woodroof. 2006. A Within Firm Analysis of Current and Expected Future Audit Lag Determinants. Journal of Information Systems 20 (1): 65-86. Canadian Institute of Chartered Accountants. 1999. Research Report on Continuous Auditing. Toronto, Canada. Gray, W.B., and R.J. Shadbegian. 1998. Environmental Regulation, Investment Timing, and Technology Choice. Journal of Industrial Economics 46(2): 235-256. Karahanna, E., S.W. Detmar, and N.L. Chervany. 1999. Information Technology Adoption Across Time: A Cross- Sectional Comparison of Pre- Adoption and Post-Adoption Beliefs. MIS Quarterly 23 (2): 183-213. Hall, B.H., and B. Khan. 2003. Adoption of New Technology. University of California, Berkeley working papers (May). Handscombe, K. 2007. Continuous Auditing From a Practical Perspective. Information Systems Control journal 2. Heffes, E.M. 2006. Theory to practice: continuous auditing gains. Financial Executive:17-18. Janvrin, D., J. Bierstaker, and J.D. Lowe. 2008. An Examination of Audit Information Technology Use and Perceived Importance. Accounting Horizons 22 (1): 1-21. Lai, V.S., and J.L. Guynes. 1997. An Assessment of the Influence of Organizational Characteristics on Information Technology Adoption Decision: A Discriminative Approach. IEEE Transactions on Engineering Management 44 (2). OReilly, A. 2006. Continuous Auditing: Wave of the future?. Corporate Board (September): 24-26. PricewaterhouseCoopers. 2006.State of the internal audit profession study: Continuous auditing gains momentum. PricewaterhouseCoopers. Sarva, S. 2006. Continuous Auditing Through Leveraging Technology. Information System Control Journal 2. Searcy, D., and J. Woodroof. 2001. Continuous Audit Implications of Internet Technology: Triggering Agents Over the Web in the Domain of Debt Covenant Compliance. Proceedings of the 34th Hawaii International Conference on System Sciences.
Searcy, D., and J. Woodroof. 2003. Continuous Auditing: Leveraging Technology. The CPA journal (May). Searcy, D., J. Woodroof, and B. Behn. 2002. Continuous Audit: The Motivations, Benefits, Problems, and Challenges Identified by Partners of a Big 4 Accounting Firm. Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS03). Taylor, M., and A. Murphy. 2004. SMEs and E-business. Journal of Small Business and Enterprise Development 11 (3): 280-289. Troshani, I., and B. Doolin. 2005. Drivers and Inhibitors Impacting Technology Adoption: A Qualitative Investigation into the Australian Experience with XBRL. 18th Bled eConference eIntegration in Action, Bled, Slovenia.